Hi,
We are currently monitoring Windows security event logs across 3000 machines in our organization using UFs. These UFs forward data to a HF, and the HF routes data to a syslog server (for backup) and to Splunk indexers.
This all works fine so far, but we now have a requirement to forward the event logs that are stored in syslog to third-party software/server, and this is causing issues.
Instead of going through all the pain of parsing these logs in rsyslog, we are planning to replace UFs with HFs on all these boxes and directly forward to the indexers and syslog from the endpoint.
The question here is, will installing HFs on 2-3 thousand endpoints cause any spike in performance, or will it cause any remote management issues?
Thanks in advance.
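For reference, the dual-destination routing the post describes (one copy of the Windows Security events to the Splunk indexers, one copy to a syslog server) is configured on a heavy forwarder with `outputs.conf`, `props.conf` and `transforms.conf`. The fragment below is an added illustration and not the poster's configuration; the hostnames, ports and group names (`idx1`, `idx2`, `backup-syslog`, `indexers`, `syslog_backup`) are placeholders.

```ini
# outputs.conf on the heavy forwarder (placeholder hosts/ports)

[tcpout]
defaultGroup = indexers

# Cooked Splunk-to-Splunk output to the indexer tier.
[tcpout:indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997
useACK = true

# Plain syslog output used for the backup copy.
[syslog:syslog_backup]
server = backup-syslog.example.internal:514
type = udp
priority = <13>

# props.conf: apply the routing transform to the Security channel.
[WinEventLog:Security]
TRANSFORMS-routing = route_to_indexers, route_to_syslog

# transforms.conf: _TCP_ROUTING keeps the indexer copy,
# _SYSLOG_ROUTING adds the syslog copy, so each event goes to both.
[route_to_indexers]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = indexers

[route_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslog_backup
```

Two points worth checking before moving this from one central HF to every endpoint: routing to a `[syslog:...]` group requires parsing on the forwarder (which is what makes the HF necessary in the first place), and `type = udp` sends the backup copy in clear text, so the syslog path should stay on a trusted network segment or be switched to a TLS-capable transport.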